The Flow Foundation has released a technical post-mortem on a December exploit that led to about $3.9m in losses.
The incident occurred on 27 December after an attacker exploited a protocol-level flaw in Flow’s Cadence runtime.
The flaw allowed assets to be duplicated rather than minted, bypassing supply controls without draining user balances.
Validators coordinated a network halt within six hours of the first malicious transaction.
Flow placed the blockchain into read-only mode to prevent further duplication and block exit routes.
Exchange partners froze most counterfeit tokens before they could be sold.
Operations resumed two days later under a governance-approved isolated recovery plan.
The process authorised the recovery and permanent destruction of counterfeit assets.
Flow said no legitimate user balances were compromised during the exploit.
More than 99% of accounts retained full access, while a small number were temporarily restricted as a precaution.
The Foundation said it has patched the vulnerability and added stricter runtime checks.
Additional regression testing, monitoring tools and bug-bounty programmes are being expanded.
The exploit weighed on the FLOW token, which dropped sharply following the incident.
Flow was launched by Dapper Labs in 2019 and gained prominence through NFT projects such as NBA Top Shot.
At the time of reporting, the Flow price was $0.1011.